
Identity Manager 8.0 - Administration Guide for the SAP R/3 Compliance Add-on


SAP Functions and Identity Audit


One Identity Manager can be used to define rules that maintain and monitor regulatory requirements and automatically deal with rule violations. Define compliance rules to test entitlements or combinations of entitlements in the context of identity audit for employees in the company. On the one hand, existing rule violations can be found by checking rules. On the other hand, possible rule violations can be identified preemptively and thus prevented.

Figure 1: Identity Audit in One Identity Manager

In addition to rule checking, One Identity Manager offers a very detailed examination of effective authorization for SAP R/3 target systems for SAP user accounts. By linking SAP user accounts to employees, combinations of SAP authorizations that an employee obtains through different SAP user accounts can be checked. Potentially dangerous authorizations and combinations of them can easily be recognized this way and the necessary action taken.

SAP authorizations are verified on the basis of the transactions permitted for a user account and the associated authorization objects. To do this, you define the transactions and authorization objects you want to verify as SAP functions in One Identity Manager. One Identity Manager finds all the SAP roles and profiles that have exactly these authorization objects and transactions assigned to them. User accounts match the SAP functions if they are members of the SAP roles and profiles that have been found.

In order to check whether there are potentially dangerous SAP authorizations in the company, define SAP functions that are critical for these authorizations. Find out which employees match these SAP functions by using compliance rules.
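The matching described above, as an added example that is not part of the original guide and not One Identity Manager code. It is a simplified model: all role names, account names, employees and authorization values are constructed sample data, and a role is assumed to match an SAP function when it carries every authorization of that function.

```python
from collections import defaultdict

# Constructed sample data (illustrative, not taken from the guide).
# An authorization is (authorization object, field, value).
SAP_FUNCTIONS = {
    "Maintain vendors": {("S_TCODE", "TCD", "FK01"), ("F_LFA1_BUK", "ACTVT", "01")},
    "Run payments": {("S_TCODE", "TCD", "F110"), ("F_REGU_BUK", "FBTCH", "21")},
}
ROLES = {  # SAP role or profile -> authorizations it carries
    "Z_AP_MASTER": {("S_TCODE", "TCD", "FK01"), ("F_LFA1_BUK", "ACTVT", "01")},
    "Z_AP_PAY": {("S_TCODE", "TCD", "F110"), ("F_REGU_BUK", "FBTCH", "21")},
    "Z_AP_DISPLAY": {("S_TCODE", "TCD", "FK03"), ("F_LFA1_BUK", "ACTVT", "03")},
}
ACCOUNTS = {  # SAP user account -> (linked employee, assigned roles)
    "JDOE@100": ("jdoe", {"Z_AP_MASTER"}),
    "JDOE@200": ("jdoe", {"Z_AP_PAY"}),
    "ASMITH@100": ("asmith", {"Z_AP_MASTER", "Z_AP_DISPLAY"}),
}
RULES = [("Maintain vendors", "Run payments")]  # must not be held together


def functions_by_account(accounts=ACCOUNTS, roles=ROLES, functions=SAP_FUNCTIONS):
    """Map each account to the SAP functions it matches through role membership."""
    # A role matches a function when it carries every authorization of the function.
    matching = {name: {r for r, auths in roles.items() if needed <= auths}
                for name, needed in functions.items()}
    return {acct: {f for f, found in matching.items() if found & assigned}
            for acct, (_, assigned) in accounts.items()}


def functions_by_employee(accounts=ACCOUNTS, **kw):
    """Merge the matched functions of all accounts linked to the same employee."""
    merged = defaultdict(set)
    for acct, funcs in functions_by_account(accounts, **kw).items():
        merged[accounts[acct][0]] |= funcs
    return dict(merged)


def violations(per_subject, rules=RULES):
    """Return sorted (subject, rule) pairs where all functions of a rule are held."""
    return sorted((s, rule) for s, funcs in per_subject.items()
                  for rule in rules if set(rule) <= funcs)


if __name__ == "__main__":
    print("per account :", violations(functions_by_account()))
    print("per employee:", violations(functions_by_employee()))
```

No single account violates the rule in this sample; the combination only appears once the two accounts linked to the same employee are evaluated together.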

If employees are granted SAP authorizations through IT Shop requests, authorizations that are not permitted can be detected and handled at the time the request is made by using appropriate approval procedures. For detailed information about approval procedures in the IT Shop, see the One Identity Manager IT Shop Administration Guide.

Based on this information, you can make corrections to data in One Identity Manager and transfer them to the connected SAP R/3 systems. The integrated report function in One Identity Manager can be used to provide information for the appropriate tests.

NOTE: The SAP R/3 Compliance Add-on Module and the Compliance Rules Module must be installed in order to set up and analyze SAP functions.

One Identity Manager Users for Managing SAP Functions


The following users are used for managing SAP functions.

Table 1: Users
User Task

Compliance rules administrators

Administrators must be assigned to the application role Identity & Access Governance | Identity Audit | Administrators.

Users with this application role:

  • Enter base data for setting up company policies.
  • Create compliance rules and assign rule supervisors to them.
  • Can start rule checking and view rule violations as required.
  • Create reports about rule violations.
  • Define SAP functions and assign these to managers.
  • Define function instances and variable sets for SAP functions.
  • Enter mitigating controls.
  • Create and edit risk index functions.
  • Monitor Identity Audit functions.
  • Administer application roles for rule supervisors, exception approvers and attestors.
  • Set up other application roles as required.

Responsible for maintaining SAP functions.

Administrators must be assigned to the application role Identity & Access Governance | Identity Audit | Maintain SAP functions or to a child role.

Users with this application role:

  • Are responsible for SAP function contents.
  • Edit working copies of function definitions for which they are responsible.
  • Define function instances and variable sets for SAP functions.
  • Assign mitigating controls.

One Identity Manager administrators

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
  • Create system users and permissions groups for non-role based login to administration tools, as required.
  • Enable or disable additional configuration parameters in the Designer, as required.
  • Create custom processes in the Designer, as required.
  • Create and configure schedules, as required.
  • Create and configure password policies, as required.

Compliance & Security officers

Compliance and security officers must be assigned to the application role Identity & Access Governance | Compliance & Security Officer.

Users with this application role:

  • View all compliance relevant information and other analysis in the Web Portal. This includes attestation policies, company policies and policy violations, compliance rules and rule violations, critical SAP functions and risk index functions.
  • Edit attestation policies.

Prerequisites for Setting Up SAP Functions


Table 2: Configuration Parameters for Handling SAP Functions
Configuration parameter Meaning
QER\ComplianceCheck

Preprocessor relevant configuration parameter for controlling the database model components for checking the rule base. Changes to the parameter require recompiling the database. If the parameter is enabled the target system modules are available.

TargetSystem\SAPR3\SAPRights

Preprocessor relevant configuration parameter for controlling component parts for testing authorizations in SAP R/3 using SAP functions. If the parameter is set, the components are available. Changes to the parameter require recompiling the database.

All the information regarding SAP authorizations, SAP users, SAP roles and SAP profiles must be transferred to the One Identity Manager database so that One Identity Manager can test the effective SAP authorizations based on SAP functions.

Setting Up SAP Functions

  1. Check in the Designer that the configuration parameters "QER\ComplianceCheck" and "TargetSystem\SAPR3\SAPRights" are set. Otherwise, set the configuration parameter and compile the database.
  2. Set up a synchronization project for synchronizing the necessary SAP schema types and start synchronization.

Setting up a Synchronization Project for Synchronizing SAP Authorization Objects


SAP authorizations are verified on the basis of the transactions permitted for an SAP user account and the associated authorization objects. Authorization objects and transactions must be loaded into the One Identity Manager database before you can create SAP functions. For each client, create a synchronization project for synchronizing the necessary schema types. A separate project template is required for this.

Use the Synchronization Editor to configure synchronization between the One Identity Manager database and SAP R/3.

To set up a synchronization project for SAP authorization objects:

  1. Set up an initial synchronization project as described in the One Identity Manager Administration Guide for Connecting to SAP R/3. The following differences apply:
    1. Select the project template "SAP R/3 authorization objects" in the project wizard on the page Select project template.
    2. The page Restrict target system access is not shown. Data is only loaded from the target system.
  2. Configure and set a schedule to execute synchronization regularly.
Detailed information about this topic
  • One Identity Manager Administration Guide for Connecting to SAP R/3
  • One Identity Manager Target System Synchronization Reference Guide